Kartones Blog

Rate Limiting is something that most projects get as a feature late, but that the earlier it comes the better for everyone. Any non-trivial service you use will have rate limits, whenever is a soft limit ("your XXXXX service can only handle Y operations per second on your current pricing tier") or a hard limit ("any table on the database cannot have more than 12k columns per table"), and this is good, because unbounded resources are points of failure. Without restrictions on an HTTP API, you're not only allowing abusive clients to DOS the platform, you're also risking any internal developer mistake to take it down, any big process (like a batch update or a yearly report).

So basically we can agree that every system should have resource limits. There are many different ways to put them in place, but commonly either the software you build (e.g. Python services) will use some component(s) (or implement their own), or use features of the web servers to limit certain type of actions based on some criteria.

Recently at work we wanted to build an internal REST API that would perform small tasks like Google Cloud Tasks (where you queue a task and when dequeued it calls an HTTPS endpoint and you're the one in charge of executing the task on one of the instances behind that hopefully load-balanced URL). To simplify the scenario, let's say we wanted to perform lots of jobs that individually should execute quickly but if massively batched could hurt a database. The best way to avoid problems is making hard for them to happen, so I wanted to put a limit to the amount of requests that the endpoint can receive, so the resources "breathe" enough to never reach too high values.

A good summary of choices regarding rate limit algorithms can be found in the following article: https://konghq.com/blog/how-to-design-a-scalable-rate-limiting-algorithm/

For example, to us didn't mattered much if we implemented a fixed or sliding window algorithm, we don't need that much precision, but one aspect was important: It had to be distributed, because the hosts are load balanced and sometimes there are few instances, but other times there are around a dozen, so leaving 2 tasks per second with 12 instances consumes more resources than when having 3 and could cause system instability. We prefered to be more accurate with load/usage predictions, so that ruled out alternatives like implementing rate limiting at Nginx.

Checking Python libraries the main requisites were for the chosen one to be distributed and easy to use (a decorator being the best option). After some digging, the winner was django-rate-limit, which offered:

• very easy setup as a django 1.11 middleware
• a fixed window distributed rate limit (using Redis for the distributed storage)
• a simple yet configurable decorator to mark http endpoints at the django views. As an added bonus it automatically returns 429 HTTP responses when the rate is exceeded, so no manual handling of exceptions!
• request-path rate-limit key, which while not perfect (no way to rate limit by ip or other custom mechanism like user_id or cookie), was good enough as a staring point and could be implemented in the future without much effort

The library implements one of the two official Redis recommendations of building a rate limiter pattern with INCR so it was good enough and race conditions small enough to not pose an issue.

We already have it working and I even did some quick django tests and confirmed everything works as expected.

As a fun fact, as the library requires Python 3, this was the main reason that I decided to give a try to migrating ticketea.com to Pyton 3.

Posted on 2018-02-01

Today I wrote a new blog post at ticketea's engineering blog, this time about how we migrated ticketea.com to Python 3 in two weeks.

It was an interesting task, and I think went well because "ignorance is bliss", as I hadn't used Python 2 I wasn't biased by fear nor knew the real reach of possible failures, so I just went on, fixing every single error and testing and testing and testing again until all looked fine, and then more tests.

Some libraries already had Python 3 branches (outdated but with quite some work done) and QA helped me so the merit is not mine alone, but I'm quite happy with the result and it is a pleasure to focus on just Python 3.6 (plus now we can start adding type hinting and other fancy stuff).

Fun fact: All of this originated with the desire to add rate limiting to a new (internal) API I was building. I will actually write here a small blog post about rate limits because I found two very good links with nice explanations and I think can be of use for others in search of similar features.

Posted on 2018-01-12

Apart from hearing podcasts frequently (e.g. commuting to work), reading books and lots of RSS and articles (it is hard to take out the FOMO anxiety, but I'm now below 100 feeds), I discovered a while ago that subscribing to some weekly newsletters provides me with nice summaries of topics in different areas. I might read all the articles, or maybe just give a quick glance of what's new.

At the time of writing this blog post, I'm subscribed to the following newsletters related with tech:

English

• cron.weekly: Linux related news and tools
• Database Weekly: Database and NoSQL related news
• Frontend Focus: HTML, CSS, WebGL, ... (sometimes content also present at Javascript Weekly)
• JavaScript Weekly: JavaScript news and articles
• Karumi's Newsletter: Development related news, mostly but not limited to iOS and Android
• Last Week in AWS: Amazon's cloud and services
• Novobrief: Spain startup ecosystem news (but written in english)
• Python Weekly: All things Python
• Security Newsletter: Security news
• SRE Weekly: Scalability, availability and operations related news

Spanish

• Bonilista: Miscellaneous topics, from tech and business to political rants
• Mixx.io: Tech and tech-related business news

I'm open to suggestions of additional (tech) sources so feel free to drop me a comment ;)

Posted on 2018-01-03

I don't like to predict or set expectations for following years, so instead this is just a small recapitulation of the key aspects of my 2017.

I switched job again (sigh). There's a saying, "things don't change unless you make them change". Sometimes change is hard, so as the company wasn't going to change to my expectations/desires I was the one that changed. And it is a pity as technically I cannot be happier to work there and what we already had but... At least I'm betting strong on the current one and so far I'm really happy (fingers crossed!). Also was a good exercise to do some CV cleanup and simplification, plus the small transparency exercise of adding the reasons of leaving each past position.

I'm in love with Python: After two years using it almost daily, it has some not-so-beautiful things but is so simple, powerful and yet nice to write into. Plus the huge ecosystem, the nice community around it... I'm doing all new experiments and pet projects using Python 3 and even started to give talks and participate at meetups again!

My grandfather died. After months with weekly visits to see him, the inevitable happened. But hey, I really wish to reach 95 as he did (working a garden until being around 90 years old!). This also affected my decision of changing jobs, I needed peace to settle my mind and for the first time in my life I gave my resignation letter with the idea of going home and then doing more interviews.

Talk less, do more. My twitter activity keeps at low levels, but I've done more pet projects than past years and managed to at least write one blog post per month, also tending to be of more appeal or at least have more techy content. I still have lots of ideas but at least some of them materialize now.

Letting go of things. I had hundreds of books, dozens of boardgames and book RPGs and lots of other "tangible decorative things", ranging from a LEGO Death Star to old videogame consoles. Now I keep a few dozen books, very few boardgames and excepting my miniatures (painting is really relaxing when I can spend some time) most decorative things are gone. I even reduced my hobbies both in number and in scope. I feel much better, like I have time again both to do geeky things and to spend time outdoors, with the family and the pets, etcetera.

Read more. Here is a partial ok only. Had a few periods along the year that I couldn't focus on reading as much as I'd wanted, or just needed distractions to ease my mind (videogames, movies, ...). I am hearing a lot of podcasts, watching some talks every month, and doing some online video courses (AWS, now a Google Cloud Platform ongoing one), but one of the points to improve for next year is reading a lot more.

Positive stance: Less complaining, more trying to be part of the solution instead of the problem, or else shutting up and moving on. The attitude of removing toxicity from my surroundings keeps improving things (even if I create a kind of echo chamber). Life is too short to spend my energies with bullshit.

Posted on 2017-12-17

• Against an Increasingly User-Hostile Web: "The web is open by design and built to empower people. This is the web we're breaking and replacing with one that subverts, manipulates and creates new needs and addiction." If you can only read one article, let it be this one. This essay enumerates reasons why I don’t migrate my blog to Medium and keep serving with those "old school" RSS/Atom formats, don’t have a Facebook account and absolutely no third party javascript on the web (my own crappy analytics with anonymized IP’s last octet and javascript-less "share buttons", but you can check for yourself). Also contains another explanation I give to friends and colleages: "Using an ad/content-blocker isn't cheating the system; it's taking very basic precautions".
• Uncle Bob and silver bullets: While I think the best tool against radicals is simply not following them, this is a good example of why this person might say or write good things, but also unrealistic ones (and sometimes, even a bit of bs).
• Visualizing Garbage Collection Algorithms: Really awesome way of learning the basics of mark-and-sweep, reference counting and even generational garbage collection systems.
• How we do Vue: one year later: A few tips and advices for using vue.js.
• How Redux Can Make You a Better Developer: A brief introduction to React regarding high-level aspects of it that might interest you even if you don't use it.
• Some of the World's Best Universities Just Released 600 Free (or Nearly Free) Online Courses: One never stops learning! Varied topics, not only tech.
• The Cost Of JavaScript Very interesting, as not only is the amount of code itself, but the parsing cost, processing/execution cost, etc. Nice also because provides not only a list of problems but also hints or directly solutions.
• Test-driven information system services Pretty similar to what we built at TheMotion for Contract-based testing
• New EU Consumer Protection Law Contains a Vague Website Blocking Clause: Sad that it actually lowers down some protections, in exchange of forcing something that is already being done (blocking websites).
• Firefox Quantum 57 for developers: The browser itself comes with lots of new stuff for devs, but it also runs blazing fast and consumes less memory. Combined with an opensource project that doesn't sends data back like Google Chrome, I've switched back to it (and updated my list of addons I use at Firefox).
• Move Slowly and Fix Things: Despite the name, a really interesting and almost mandatory read to think about what your daily job does, if you feel you're doing ethical work and improving people's lives, or just trying to generate more money.
• Elon Musk: The Architect of Tomorrow: Long but interesting interview with the guy. Best summary of his thinking: "An unfortunate fact of human nature is that when people make up their mind about something, they tend not to change it".
• Fearless Concurrency in Firefox Quantum + Entering the Quantum Era—How Firefox got fast again and where it’s going to get faster: Very interesting resources to learn why Firefox is so blazing fast (and is going to get better next year), why the need of a new development language, a new browser engine...
• Google is locking people out of documents, and you should be worried combined with Google collects Android users’ locations even when location services are disabled equals "we should really worry about Google being evil"
• No, you’re not being paranoid. Sites really are watching your every move: And if the previous news were not enough... yet another reason to use an adblocker (like uBlock Origin) with the privacy filters on.
• Uber Paid Hackers to Delete Stolen Data on 57 Million People + Uber hit with 2 lawsuits over gigantic 2016 data breach: No need for further details, just that is so sad how many unethical issues they pile up, a company with such technical talent doing things so wrong...
• .NET Core Alpine Docker Image Ready for Testing: Microsoft readies an Alpine docker container for .NET Core v2. Definetly seems to be commitment to make it trully multiplaform.
• PC vendors scramble as Intel announces vulnerability in firmware: The more complex a system gets, the bigger chances of problems... and seems to be a serious security one, allowing remote command execution on affected intel CPUs since 2015.
• pingfs: Stores your data in ICMP ping packets : Wow! Amazing proof of concept.
• Sibling domains cookies isolation + Why can foo.example.com set cookies for example.com?: We recently had at work some issues with sibling domain cookies, so I though would be of interest to share this links with info about the topic.
• Android Bug Lets Attackers Record Audio & Screen Activity on 3 of 4 Smartphones: Another scary tale, and what worries me is that Google is only patching the most recent versions of Android (instead of the most widely used ones). -The PC BIOS will be killed off by 2020 as Intel plans move to pure UEFI: Amazing how long are BIOS surviving, but glad to see a deadline to switch to UEFI.
• JWTs Suck (and Are Stupid) -> No need to agree with the whole talk (I do strongly disagree with some points and some "cookie advantages") but some concepts are interesting and it's true that JWT is not the holy grial of web sessions.
• Creating Optimal Reviews: Good advices inside
• Why Python is Slow: Looking Under the Hood: Great for learning something about Python internals, and I also learned about Ctypes and uses of NumPy thanks to the article!
• Voxel Space: Great explanation of how to draw pseudo-3D maps with voxels,based on an old MS-DOS game, Commanche. Includes javascript-based web demo
• YouTube's Search Autofill Surfaced Disturbing Child Sex Results: Youtube seems to be having a bad time properly catching wrong content, it will probably get fixed but is amazing that it slipped off under their radars until has become a scandal.
• El taxi de Madrid reclama precios más flexibles para competir con Uber y Cabify [ES]: Perfect example of why competition is healthy: cab system has been a terrible monopoly at Spain since ages, full of bad experiences (myself included) and probably among the most frequent traffic infractions most are made by cab drivers. Now that Cabify and others are penetrating the market and restrictions about licenses have been lowered, they panic and start to ask things that people asked since long and they rejected. Everything is such a chaos that there are multiple mobile apps and still many cabs don't even allow you to pay with credit card (and a few don't have the GPS on even being now mandatory by law), so any change can only be for better.
• Facebook is asking users to upload a selfie to prove who they are: An apparently innocent or even fun "request", until you remember how they are being so aggressive into facial recognition, so with this they can potentially teach the platform to detect you on any photo anybody uploads to Facebook. So glad to have deleted my account years ago.
• From inboxing to thought showers: how business bullshit took over: Maybe too long read but is interesting to see that bullshit comes further away in history than this last years
• Scaling Amazon ElastiCache for Redis with Online Cluster Resizing: Small yet interesting post about how Amazon achieved Redis cluster resizing without downtimes.
• Introduction to Firefox Debugger: Not too deep but interesting now that Firefox is coming back so strong.
• Google Kubernetes Engine becomes free of charge: As competitors add Kubernetes support, Google fights back offering their platform (and up to a point, their support). Competition is so good :)
• Preview of Amazon Aurora Multi-Master: AWS' implementation of MySQL (and PostgreSQL comapatible) in "beta" with support for multi-masters. If you could avoid failovers and their associated small but present downtimes, would be an amazing win-win.
• AWS Fargate: Finally stepping up on the poor container management solutions, either with the new Fargate "super-simple" mode or using ECS or Kubernetes.
• Free Python Games: Apache2 licensed collection of free Python games intended for education and fun, including some classics like Snake, Pacman or Pong, using the Turtle module to ease teaching coding to kids. I do remember using the equivalent Turtle graphics and library for Pascal before university...
• Leonardo da Vinci's Notebook: 'The Codex Arundel'. A collection of papers written in Italian by Leonardo da Vinci (b. 1452, d. 1519), in his characteristic left-handed mirror-writing (reading from right to left), including diagrams, drawings and brief texts, covering a broad range of topics in science and art, as well as personal notes. An amazing historial document made now fully public by the British Library.
• "stop paying the ransoms. We’re creating a billion dollar criminal industry instead of, well, setting up backups. We are monetising low skill crime."" -@gossithedog: Bitcoin might change the world, but the initial great de-centralized idea has been corrupted into an elecriticy-sink balck hole where people invest because price seems to only grow higher and higher while as of late seems to be the perfect place to by illegal drugs or pay ransomware :(
• MacOS Update Accidentally Undoes Apple's "Root" Bug Patch: Need more signs that Apple has become so mainstream regarding their OS? I only miss more MacOS-targeted malware and it will be exactly like Windows back in the late 90s/early 2000s.
• AWS Reinvent product announcements: So many things I just mentioned one or two, but here's the full list.
• The birthday paradox: Very interesting applied to hashing and non-repeatable random sequence generation, should be taken into account
• WebAssembly Now Supported across All Browsers
• Chrome Apps are dead, as Google shuts down the Chrome Web Store section: Web Apps is the future they say. By the way, is only searching them what so far has been done, as the articlle points out at the end direct links to Chrome Apps still work.
• ProcDump for Linux: Linux version of the ProcDump Sysinternals tool
• OpenCV.js Tutorials : I didn't even knew there is a Javascript version of this famous library
• Chrome 63 offers even more protection from malicious sites, using even more memory: More isolation means more data to keep multiple copies... But is not enabled by default.
• Use a .dev domain? Not anymore: This actualy bit us few days ago at work... google made .dev domain mandatory to be under HTTPS, so no more www.mywebsite.dev for testing purposes. From the only ones that should never get this kind of surprises (RFC) seems the almost only alternative is to use .test. Gets me mad that a company can make this decisions and break everything but... again is Google and as a company they have a history of changing things as they please.
• Evolution of : Gif without the GIF: Very interesting history of animated gifs and why for example Twitter replaceds any animated gif with an MP3 (spoiler: compression is a lot better).
• https://pgexercises.com/: Awesome resource to practice SQL in a very interactive way, with nice visual diagrams, etc.
• HP keylogger: HP had a keylogger in the keyboard driver, disabled by default but very easily activated.
• Bribes for blogs: How brands secretly buy their way into Forbes, Fast Company, and HuffPost stories: Really is a confirmation of something we mostly know, but good to have specific examples. In Spain I’ve seen also the opposite, magazines coming to small companies offering to write an “in depth article” in exchange of money. Articles that of course never mention this “paid” source, of course.
• Learn Pandas: Another learning resource, a Github repository to learn how to use Python data analysis.
• Stardust rebuilt + Z80 Emu Evolution: Spanish Spectrum game reverse engineered by their authors (lots of emulation tools also!) and a long but highly detailed article of the creation and evolution of a Z80 emulator.
• Treasure Trove of AACS 2.0 UHD Blu-Ray Keys Leak Online: It seems Blu-Ray encryption might have been broken but authors still don't want tho publitize it.
• AMD Finally Pushing Out Open-Source Vulkan Driver: Thanks to the Linux version of the driver.
• The Q# Programming Language: This is a bit mindblowing... a programming language for quantum computing.
• Lots of books about technology at Project Gubenberg
• How Email Open Tracking Quietly Took Over the Web: Thankfully most decent email providers allow not loading by default any image, but still outgoing links will track you, and the other darker approaches too (like remote font loading).
• WebXR is going to bring VR and AR to the masses. Here’s why: It is really good that technology is being pushed forward to have VR and AR everywhere, because as still the hardware is in its early stages, when it becomes powerful and enough everything will be ready for it.
• US regulator votes to repeal net neutrality rules: Net neutrality broke at the US, now ISPs can throttle or charge extra based on content you consume. Sad times for internet.
• 1000 different people, the same words: Really interesting results, makes you worry about the internal culture of some companies if the external wording is so aggressive.
• Suspicious event routes traffic for big-name sites through Russia
• A Look at the Improvements That TLS 1.3 Brings: Faster and more secure, a pity that still only Firefox and Chrome support it (and is not active by default yet).

Posted on 2017-12-15